Create and Host Tracking Protection Lists

Tracking Protection Lists help give consumers more control over their privacy. This information describes how to create Tracking Protection Lists (TPLs) and host them on your own or a central website such as the Internet Explorer Gallery.

What Are Tracking Protection Lists

A Tracking Protection List (TPL) is a simple UTF-8-format text file that you can host on a web server. Users can install a TPL directly from a website. As a user browses the web, some third-party content is allowed or blocked according to the rules defined in the TPLs that the user has installed. Periodically, Windows Internet Explorer checks installed TPLs for updates and can automatically download and apply changes so the latest protection is offered to the user.

Creating Tracking Protection Lists

A Tracking Protection List is an 8-bit Unicode Transformation Format (UTF-8) text file that contains a version header, comments, settings, and a set of allow or block rules.

TPL files are parsed in a stateless manner across lines, meaning that the order of the lines has no effect. The only exception is that the version header "msFilterList" must be the first line of the file.
Rules are used to indicate third-party content that is to be blocked or allowed. Third-party content is defined as having a different second-level domain name than the URL in the address bar.

Rules are matched against the URL of any third-party content that is downloaded in conjunction with the primary webpage. For blocking rules, a domain and/or a subdomain are specified. Optionally a string can be specified to further limit the scope.

Element

Description

Expected values

Example

msFilterList

Identifies the file as a Tracking Protection file. This is the only required element and must be the first line in the file.

Examples

Domain rules begin with a "+d" or "–d" and allow ("+") or block ("-") content on a particular third-party domain. If the domain rule is an allow rule, the string specified in the domain rule will be "anchored" on the right side of the matched domain. If the domain rule is a block rule, it will match any contiguous domain labels in the URL.

Domain Allow Rules Example

For example, given the following URL:

"http://www.glossary.contoso.com/file.html"

The following allow domain rules will match:

+d contoso.com

+d glossary.contoso.com

+d contoso.com file

+d contoso.com file.html

+d contoso.com html

The following allow domain rules will not match:

+d glossary.contoso

+d orderform.contoso.com

+d contoso.com /path/file.html

For example, given the following URL:

"http://www.glossary.contoso.com/file.html"

The following block domain rules will match:

-d contoso.com

-d glossary.contoso.com

-d contoso.com file

-d contoso.com file.html

-d contoso.com html

-d glossary.contoso

The following block domain rules will not match:

-d orderform.contoso.com

-d contoso.com /path/file.html

Substring rules

Substring rules specify a match of a portion or substring of a URL.
Substring rules can be only block (-) rules. Substring allow (+) rules are not permitted.

For example, given the following URL:

"http://www.contoso.com/test.html"

The following substring rules will match:

-contoso

-conto

-test.html

-co*so

The Wildcard Character

The wildcard character "*"can be used within a substring rule, and means "match 0 or more of any character."

The wildcard character cannot be used in the domain part of a domain rule. It can be used in the substring part of a domain rule.

For example, the following rule will match because the wildcard is used in the substring part of the domain rule:

"+d contoso.com sub*string"

The following rule is invalid because the wildcard is used in the domain part of the domain rule:

"+d contoso*.com substring "

Example Tracking Protection List File

Below is a complete example TPL. The comments in the TPL describe the various rules and settings in the TPL.

msFilterList
#
# Above is a version header.
#
# This is a comment. Any line that starts with
# a “#” character will be ignored.
#
# “Expires” sets the number of days when to check the server for an update
: Expires=3
#
#
# allow everything from contoso.com
+d contoso.com
#
# block anything containing the string “spam_ads”
- spam_ads
# block any file with name that starts with a “1x1” and has a “.gif” extension- 1x1*.gif
# block anything from treyresearch.net
-d treyresearch.net
# block bad_script.js from litwareinc.com
-d litwareinc.com bad_script.js

Multiple Lists and Rule Precedence

Users can install multiple Tracking Protection Lists, and can use them in conjunction with their Personalized Filtering List. When multiple lists are used, all of the rules from all of the TPLs are grouped together into a single list.

The precedence of rules for Tracking Protection is as follows:

Rules from the Personalized Filtering List if enabled in Manual Mode

TPL allow rules

TPL block rules

Rules from the Personalized Filtering List if enabled in Automatic Mode

For example, if a domain is allowed on one list, and blocked in another, the domain will be allowed. Similarly, if a user manually blocks a domain in a personalized list, and it is allowed in another, the domain will be blocked.

Performance Tips

Tracking Protection Lists can have a negative effect on browser performance if authored poorly. The following tips will help you write a fast-performing list:

Use domain rules wherever possible. Domain rules make it easy to match content on a domain, and they are optimized by Internet Explorer to run very quickly.

Limit the use of short substring rules. Writing many (> 25) short (fewer than eight characters) substring rules can have a negative impact on performance.

Expand out complex wildcard rules into multiple non-wildcard rules. Using wildcards, especially in the first eight characters of a rule, can negatively affect performance. When possible, refrain from using wildcards by writing multiple substring rules.

Deploying Tracking Protection Lists

Tracking Protection Lists can be hosted on any web server. A JavaScript method is added to a webpage that will prompt the user to add the TPL.

URL This is the URL of the list to be added. The URL can be a relative or absolute URL. An absolute URL does not need to be hosted on the same server as the page that calls the msAddTrackingProtectionList method.

description The description provided will be shown in the prompt to the user.

When this code is called, the user will see a dialog box similar to the following.

Detecting Whether Tracking Protection Lists Are Enabled

In addition to providing a link to download the TPL, a webpage can detect whether the user has enabled any Tracking Protection Lists, personal or otherwise. This could be good information for a network administrator to enforce the use of a corporate Tracking Protection List.

The following JavaScript method can be used in an if statement to determine whether any lists are enabled.

Note that lists can be installed, but not enabled. This method will tell you only whether any are enabled. For more information on this method, see the msTrackingProtectionEnabled method reference.

The following example contains two functions, one to check whether any lists are enabled, the other to import our fictious list. If you have lists off, click the "Check tracking protection" button first to confirm. Then click and load the sample file. When you click "Check tracking protection" again, you will see that it has been enabled.

Best Practices

Although there are no restrictions on creating lists, the following best practices help provide the best customer experience for your users:

Notice. Consider providing notice of the limits of your tracking protection list (that is, it is a privacy tool, not a privacy guarantee) to your users so they do not have unrealistic expectations. You might also want to consider including standard warranty disclaimers in your notice.

Some sites may choose to present this notice as part of their site's terms of use, while others might incorporate it into a click-through dialog box that is presented to users before they download the TPL.

Criteria. Consider publishing documentation on your site that explains the criteria you use to determine which sites will be included on the list. Having your criteria documented and following them when creating your TPL will help prevent confusion on the part of TPL users and third-party website publishers.

Inquiries. You might want to provide a process for third parties to follow if they have questions or concerns about your TPL. For example, a website owner might feel that their site has been incorrectly included on your list. A typographical error could lead to the wrong site being included, or a site’s privacy policy and practices may have changed after publication of your TPL.

Having a clear process in place for reviewing these inquiries and updating the TPL when appropriate will reduce your administrative burden and may help head off complaints from website owners.